To enable IAP for App Engine, you need the
following:
A Google Cloud console project with billing enabled.
If you don't have your App Engine instance set up already, see
Deploying App Engine
for a complete walkthrough.
IAP uses a Google-managed OAuth client to authenticate users.
Only users within the organization can access the IAP-enabled application.
If you want to allow access to users outside of your organization, see Enable IAP for external applications.
Enabling IAP
Console
The Google-managed OAuth client is not available when enabling IAP using the Google Cloud console.
Dynamic include file
If you haven't configured your project's OAuth consent screen, you'll be
prompted to do so. To configure your OAuth consent screen, see
Setting up your OAuth consent screen.
Select the checkbox next to the resource you want to grant access to.
On the right side panel, click Add principal.
In the Add principals dialog that appears, enter the email addresses of groups or
individuals who should have the IAP-secured Web App User role for the project.
The following kinds of principals can have this role:
Google Account: user@gmail.com
Google Group: admins@googlegroups.com
Service account: server@example.gserviceaccount.com
Google Workspace domain: example.com
Make sure to add a Google Account that you have access to.
Select Cloud IAP > IAP-secured Web App User from the Roles
drop-down list.
Click Save.
Turning on IAP
On the Identity-Aware Proxy page, under APPLICATIONS,
find the application you want to restrict
access to. To turn on IAP for a resource,
toggle the on/off switch in the IAP
column.
In the Turn on IAP window that appears, click Turn On to
confirm that you want IAP to secure your resource. After you turn on
IAP, it requires login credentials for all connections to your load balancer.
Only accounts with the IAP-Secured Web App User role on the project will be
given access.
gcloud
Before you set up your project and IAP, you need an up-to-date version of the
gcloud CLI. For instructions on how to install the gcloud CLI, see Install the gcloud CLI.
To authenticate, use the Google Cloud CLI and run the following command.
gcloud auth login
Click the URL that appears and sign in.
After you sign in, copy the verification code that appears and paste it in the command line.
Run the following command to specify the project that contains the applications that you want to protect with IAP.
gcloud config set project PROJECT_ID
To enable IAP, run the following command.
gcloud iap web enable --resource-type=app-engine --versions=version
Add principals who should have the IAP-secured Web App user role to the project.
Replace PRINCIPAL_IDENTIFIER with the necessary principals. This can be a
type of domain, group, serviceAccount, or user. For example,
user:myemail@example.com.
After you enable IAP, you can use the gcloud CLI to modify the
IAP access policy using the IAM role
roles/iap.httpsResourceAccessor. Learn more about
managing roles and permissions.
API
Run the following command to prepare a settings.json file.
After you enable IAP, you can use the Google Cloud CLI to modify the
IAP access policy using the IAM role
roles/iap.httpsResourceAccessor. Learn more about
managing roles and permissions.
Test user authentication
Access the app URL from a Google account that you added to
IAP with the IAP-secured Web App User role
as described above. You should have unrestricted access to the app.
Use an incognito window in Chrome to access the app and sign in when
prompted. If you try to access the app with an account that isn't authorized
with the IAP-secured Web App User role, you'll see a message
saying that you don't have access.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-19 UTC."],[],[],null,["# Enabling IAP for App Engine\n\nThis page explains how to secure an App Engine instance with\n[Identity-Aware Proxy (IAP)](/iap/docs/concepts-overview).\n\nBefore you begin\n----------------\n\nTo enable IAP for App Engine, you need the\nfollowing:\n\n- A Google Cloud console project with billing enabled.\n\nIf you don't have your App Engine instance set up already, see\n[Deploying App Engine](/build/docs/deploying-builds/deploy-appengine)\nfor a complete walkthrough.\n\nIAP uses a Google-managed OAuth client to authenticate users.\nOnly users within the organization can access the IAP-enabled application.\nIf you want to allow access to users outside of your organization, see [Enable IAP for external applications](/iap/docs/custom-oauth-configuration).\n| **Note:** The ability to authenticate users with a Google-managed OAuth client is available in [Preview](/products#product-launch-stages).\n\nEnabling IAP\n------------\n\n### Console\n\nThe Google-managed OAuth client is not available when enabling IAP using the Google Cloud console.\n\n\nDynamic include file\n\n\nIf you haven't configured your project's OAuth consent screen, you'll be\nprompted to do so. To configure your OAuth consent screen, see\n[Setting up your OAuth consent screen](https://support.google.com/cloud/answer/10311615).\n\n### Setting up IAP access\n\n1. Go to the [Identity-Aware Proxy page](https://console.cloud.google.com/security/iap). \n [Go to the Identity-Aware Proxy page](https://console.cloud.google.com/security/iap)\n2. Select the project you want to secure with IAP.\n3. Select the checkbox next to the resource you want to grant access to.\n4. On the right side panel, click **Add principal**.\n5. In the **Add principals** dialog that appears, enter the email addresses of groups or individuals who should have the **IAP-secured Web App User** role for the project.\n\n The following kinds of principals can have this role:\n - **Google Account**: user@gmail.com\n - **Google Group**: admins@googlegroups.com\n - **Service account**: server@example.gserviceaccount.com\n - **Google Workspace domain**: example.com\n\n Make sure to add a Google Account that you have access to.\n6. Select **Cloud IAP \\\u003e IAP-secured Web App User** from the **Roles** drop-down list.\n7. Click **Save**.\n\n### Turning on IAP\n\n1. On the **Identity-Aware Proxy** page, under **APPLICATIONS** , find the application you want to restrict access to. To turn on IAP for a resource, toggle the on/off switch in the **IAP** column. \n2. In the **Turn on IAP** window that appears, click **Turn On** to confirm that you want IAP to secure your resource. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the **IAP-Secured Web App User** role on the project will be given access.\n\n\u003cbr /\u003e\n\n### gcloud\n\nBefore you set up your project and IAP, you need an up-to-date version of the\ngcloud CLI. For instructions on how to install the gcloud CLI, see [Install the gcloud CLI](/sdk/downloads).\n\n1. To authenticate, use the Google Cloud CLI and run the following command. \n\n gcloud auth login\n\n2. Click the URL that appears and sign in.\n3. After you sign in, copy the verification code that appears and paste it in the command line.\n4. Run the following command to specify the project that contains the applications that you want to protect with IAP. \n\n gcloud config set project \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\n\n5. To enable IAP, run the following command. \n\n gcloud iap web enable --resource-type=app-engine --versions=\u003cvar translate=\"no\"\u003eversion\u003c/var\u003e\n\n6. Add principals who should have the IAP-secured Web App user role to the project. \n\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --member=\u003cvar translate=\"no\"\u003ePRINCIPAL_IDENTIFIER\u003c/var\u003e \\\n --role=roles/iap.httpsResourceAccessor\n\n - Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your project ID.\n - Replace \u003cvar translate=\"no\"\u003ePRINCIPAL_IDENTIFIER\u003c/var\u003e with the necessary principals. This can be a type of domain, group, serviceAccount, or user. For example, `user:myemail@example.com`.\n\nAfter you enable IAP, you can use the gcloud CLI to modify the\nIAP access policy using the IAM role\n`roles/iap.httpsResourceAccessor`. Learn more about\n[managing roles and permissions](/iam/docs/granting-changing-revoking-access).\n\n### API\n\n1. Run the following command to prepare a `settings.json` file.\n\n ```\n cat \u003c\u003c EOF \u003e settings.json\n {\n \"iap\":\n {\n \"enabled\":true\n }\n }\n EOF\n ```\n\n \u003cbr /\u003e\n\n2. Run the following command to enable IAP.\n\n ```\n curl -X PATCH \\\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\n -H \"Accept: application/json\" \\\n -H \"Content-Type: application/json\" \\\n -d @settings.json \\\n \"https://appengine.googleapis.com/v1/apps/PROJECT_ID?updateMask=iap\"\n ```\n\n \u003cbr /\u003e\n\nAfter you enable IAP, you can use the Google Cloud CLI to modify the\nIAP access policy using the IAM role\n`roles/iap.httpsResourceAccessor`. Learn more about\n[managing roles and permissions](/iam/docs/granting-changing-revoking-access).\n| **Note:** When a App Engine application consists of multiple services, in order to make some services publicly-accessible and keep others restricted, enable IAP on the entire application, then grant the **IAP-secured Web App User** role to \\`allUsers\\` or \\`allAuthenticatedUsers\\` on the services that should be publicly-accessible.\n| **Role-based access:** If you're a project owner, you may think that you get automatic access to the app. That is not the case as only accounts with the **IAP-secured Web App User** role on this project will be given access. Imagine you're in corporate IT implementing IAP access to the HR payroll system. In most scenarios, only the staff on the Payroll team should have access to the app. This is one of the reasons why role-based access is more secure. The owner (or editor, etc.) of a project can manage all aspects of the project but doesn't automatically get app access.\n\nTest user authentication\n------------------------\n\n1. Access the app URL from a Google account that you added to\n IAP with the **IAP-secured Web App User** role\n as described above. You should have unrestricted access to the app.\n\n2. Use an incognito window in Chrome to access the app and sign in when\n prompted. If you try to access the app with an account that isn't authorized\n with the **IAP-secured Web App User** role, you'll see a message\n saying that you don't have access."]]
